Sunday, October 16, 2016

Cyber Security News of the Week, October 16, 2016



CYBERSECURITY NEWS

FROM OUR FRIENDS AT CITADEL INFORMATION GROUP

Individuals at Risk

Identity Theft

Unsecured database lets hacker expose 58 million plus records from data management firm: A hacker scanning for unsecured databases was able to compromise at least 58.8 million records – and possibly as many as 258 million – from Modern Business Solutions (MBS), a data management and monetization firm primarily serving the automotive, employment and real-estate industries. SCMagazine, October 13, 2016

Cyber Update

GOOGLE PLUGS 21 SECURITY HOLES IN CHROME: Google on Wednesday patched 21 security vulnerabilities in Chrome, including a half dozen rated high severity that were reported by external researchers and were eligible for a bounty. ThreatPost, October 13, 2016
Microsoft: No More Pick-and-Choose Patching: Adobe and Microsoft today each issued updates to fix critical security flaws in their products. Adobe’s got fixes for Acrobat and Flash Player ready. Microsoft’s patch bundle for October includes fixes for at least five separate “zero-day” vulnerabilities — dangerous flaws that attackers were already exploiting prior to today’s patch release. Also notable this month is that Microsoft is changing how it deploys security updates, removing the ability for Windows users to pick and choose which individual patches to install. KrebsOnSecurity, October 11, 2016

Information Security Management in the Organization

Information Security Governance

Questions Every CIO Should Ask the Cybersecurity Leader: Part 1: Over the past several years, the widespread escalation of cybersecurity focus by boards and governments around the globe has increased the visibility, funding, influence and sophistication of the role of an organization’s cybersecurity leader — often in that order. SecurityIntelligence, October 14, 2016
An Information Security Survival Guide — Focus on Culture: Information security is viewed in some organizations as a function owned by a few individuals or one department. However, with human error continuing to remain the most prominent cause of data breaches, it is important to create a corporate culture that views information security as a shared responsibility among all employees. InfoSecurity, October 14, 2016
80% Of IT Pros Say Users Set Up Unapproved Cloud Services: Shadow IT is a growing risk concern among IT pros, with most reporting users have gone behind their backs to set up unapproved cloud services. DarkReading, October 13, 2016
Information Security Spending Will Top $101 Billion By 2020: Security executives often blame a lack of budget for their inability to stay on top of existing and emerging threats. But recent trends in security spending suggest that they would have less of an argument for doing so over the next few years. DarkReading, October 13, 2016

Cyber Warning

POPULAR ANDROID APP LEAKS MICROSOFT EXCHANGE USER CREDENTIALS: A popular Android app used to access corporate email, calendar and contacts via Microsoft Exchange servers is vulnerable to leaking user credentials to attackers. ThreatPost, October 14, 2016
Symantec reports surge in phishing attacks using Windows Script File (WSF) attachments: Symantec researchers noted an uptick in phishing email attacks using malicious Windows Script File (WSF) attachments to infect users with Locky, and in some cases Cerber, ransomware. SCMagazine, October 13, 2016
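As an added illustration, not code from the Symantec or SCMagazine pieces: a mail-gateway style check in Python that flags script attachments of the kind these campaigns use. WSF, JS and VBS files run directly under Windows Script Host, and the lure is usually a ZIP with the script inside, so the check descends into archives and also catches double extensions such as invoice.pdf.wsf. The sample message is constructed here; the extension list, the nesting depth and the size cap are assumptions.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions Windows hands to Windows Script Host or mshta; .wsf is the vector in
# the Symantec report, the rest are common companions (assumed list, extend as needed).
SCRIPT_EXTENSIONS = {".wsf", ".js", ".jse", ".vbs", ".vbe", ".hta"}
MAX_DEPTH = 3                      # how many nested archives to open
MAX_ENTRY_BYTES = 10 * 1024 * 1024  # cap per entry so a zip bomb cannot exhaust memory


def risky_name(filename):
    """True if the final extension is one Windows will execute as a script.
    Only the last extension matters: 'report.wsf.pdf' opens as a PDF."""
    return any(filename.lower().strip().endswith(ext) for ext in SCRIPT_EXTENSIONS)


def scan_bytes(filename, data, depth=0):
    """Return (path, reason) findings for one attachment, descending into ZIPs."""
    findings = []
    if risky_name(filename):
        findings.append((filename, "script attachment"))
    if depth < MAX_DEPTH and filename.lower().endswith(".zip"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.is_dir():
                        continue
                    inner = f"{filename}/{info.filename}"
                    if info.flag_bits & 0x1:
                        # password-protected entry: cannot inspect, so report it
                        findings.append((inner, "encrypted archive entry"))
                        continue
                    with zf.open(info) as fh:
                        findings.extend(scan_bytes(inner, fh.read(MAX_ENTRY_BYTES), depth + 1))
        except zipfile.BadZipFile:
            findings.append((filename, "unreadable zip"))
    return findings


def scan_message(raw):
    """Parse a raw RFC 5322 message and scan every attachment part."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        findings.extend(scan_bytes(name, data))
    return findings


def build_sample():
    """Constructed test message (not a real sample): a ZIP hiding a .wsf plus a benign PDF."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice_2016.wsf",
                    "<job><script language='JScript'>WScript.Echo('x');</script></job>")
    msg = EmailMessage()
    msg["From"] = "billing@example.com"
    msg["To"] = "user@example.org"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see attached invoice.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="invoice.zip")
    msg.add_attachment(b"%PDF-1.4 (placeholder)", maintype="application", subtype="pdf",
                       filename="terms.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for path, reason in scan_message(build_sample()):
        print(f"{reason}: {path}")
```

Encrypted archive entries are reported rather than silently skipped, because a password in the mail body is a standard way to get past gateway scanning. Detecting the attachment is a compensating control; the root fix on the endpoint is to stop Windows Script Host from running user-supplied scripts at all, for example by reassigning the .wsf/.js/.vbs file associations to Notepad or disabling WSH by policy.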

Cyber Law

Yahoo Breach May Trigger ‘Material Adverse Change’ Clause: The Yahoo data breach, which compromised 500 million user accounts, may cause Verizon to renegotiate its $4.8 billion acquisition deal. DarkReading, October 14, 2016
The law of encryption workarounds, Orin Kerr, The George Washington University Law School: In my recent post, I noted that a lot of the recent legal developments in the field of computer crime law are about responses to encryption. I thought I would expand on the theme of what I’ll call “the law of encryption workarounds.” The Washington Post, October 14, 2016
The path of computer crime law, Orin Kerr, The George Washington University Law School: Every year, I complete a new supplement to my Computer Crime Law casebook that includes the latest cases as well as the latest statutes. I recently handed in the materials for the 2017 Supplement, and the experience of updating my book made me think about how the field is evolving. Here are some thoughts. The Washington Post, October 13, 2016

Cyber Security in Society

Cyber Crime

Hackers hijacked these law enforcement computers for ransom: In Maine, cybercriminals took over the computer system shared by five police agencies for about two weeks last year until the departments paid the crooks $300. In Los Angeles, a large hospital shelled out $17,000 this year to regain access to its electronic medical records that criminal hackers took hostage. And in eastern Ohio, Columbiana County was forced to pay more than $2,800 in ransom in June after computers in its juvenile court system became infected. PBS, October 13, 2016

Know Your Enemy

Self-Checkout Skimmers Go Bluetooth: This blog has featured several stories about payment card skimming devices designed to be placed over top of credit card terminals in self-checkout lanes at grocery stores and other retailers. Many readers have asked for more details about the electronics that power these so-called “overlay” skimmers. Here’s a look at one overlay skimmer equipped with Bluetooth technology that allows thieves to snarf swiped card data and PINs wirelessly using nothing more than a mobile phone. KrebsOnSecurity, October 14, 2016
Companies Should Understand Where Cybercrime Thrives: As global cybercrime increases, governments and businesses are struggling to keep up with the threats they are facing. Because of the changing and innovative methods of attack being used against them, it is of the utmost importance that they constantly refine their knowledge of the particular enemies they face. Harvard Business Review, October 12, 2016

National Cyber Security

Feds Investigate Email Hack of Clinton Campaign Boss: Hillary Clinton’s campaign chairman has claimed the FBI is investigating whether Russian hackers were behind a cyber-attack on his private email. InfoSecurity, October 13, 2016
US election: Have Russian hackers already handed Putin a win?: Russian hackers have already scored key goals in their apparent bid to disrupt the US presidential election, according to researchers monitoring the closely fought political campaign. CNN, October 12, 2016
How Russian hackers will impact the encryption debate on Capitol Hill: Could encryption have saved the Democratic National Committee from a cyberattack we now know came directed by Russian intelligence? FedScoop, October 12, 2016

Cyber Gov

Inspector General: Secret Service’s IT Has ‘Unacceptable Vulnerabilities’: “Unacceptable vulnerabilities” exist in the U.S. Secret Service’s information technology, leaving systems susceptible to potential unauthorized employee access, the Department of Homeland Security inspector general says. GovInfoSecurity, October 14, 2016
Inspector general: DHS makes strides under cyber law, falls short on contractor data security: The Department of Homeland Security’s inspector general’s office has determined that DHS has “taken a number of steps” to implement cybersecurity controls across the agency under the Cybersecurity Act of 2015, but could benefit from additional capabilities and policies to assure contractors’ data security. The report, which offers no policy recommendations, found that the department has developed agency-wide access policies for providing access to systems with personally identifiable information in compliance with federal standards. Further, it revealed that DHS… Inside Cybersecurity, October 4, 2016

Cyber Politics

New survey finds cybersecurity a major issue for millennial voters: In a year that has seen several high-profile hacks, from Yahoo to the Democratic National Committee, millennial voters increasingly see cybersecurity as a major election issue, according to a new survey from Raytheon and the National Cyber Security Alliance (NCSA). CBS, October 12, 2016

Financial Cyber Security

Critics Blast New York’s Proposed Cybersecurity Regulation as Too Hard on Smaller Banks: In January, banks and other financial services companies based in New York may have to comply with tough new cybersecurity requirements outlined in what Gov. Andrew Cuomo says would be the nation’s first state regulation designed to help thwart cyberattacks against the financial sector. BankInfoSecurity, October 14, 2016
New Hacker Group Targets SWIFT-Using Banks With Odinaff Malware: A malware-wielding gang has been targeting financial firms’ SWIFT software to inject fraudulent money-moving messages since at least January in “discreet campaigns” not tied to the Bangladesh Bank hack, security firm Symantec warns. BankInfoSecurity, October 13, 2016

Critical Infrastructure

Int’l Atomic Energy Agency chief: Nuclear power plant was disrupted by cyber attack: A nuclear power plant became the target of a disruptive cyber attack two to three years ago, and there is a serious threat of militant attacks on such plants, the head of the United Nations nuclear watchdog said on Monday. Reuters, October 10, 2016

Internet of Things

IoT Devices as Proxies for Cybercrime: Multiple stories published here over the past few weeks have examined the disruptive power of hacked “Internet of Things” (IoT) devices such as routers, IP cameras and digital video recorders. This post looks at how crooks are using hacked IoT devices as proxies to hide their true location online as they engage in a variety of other types of cybercriminal activity — from frequenting underground forums to credit card and tax refund fraud. KrebsOnSecurity, October 13, 2016
Akamai Says Hackers Use ’Smart’ Devices like DVRs & Security Cameras to Test Stolen Usernames, Passwords: Attackers are hijacking DVRs, satellite antennas and networking devices to conduct mass tests of stolen login credentials, according to research from Akamai Technologies Inc., the latest sign that common household gadgets are being remotely marshaled for malicious activity. Wall Street Journal, October 12, 2016
Europe to Push New Security Rules Amid IoT Mess: The European Commission is drafting new cybersecurity requirements to beef up security around so-called Internet of Things (IoT) devices such as Web-connected security cameras, routers and digital video recorders (DVRs). News of the expected proposal comes as security firms are warning that a great many IoT devices are equipped with little or no security protections. KrebsOnSecurity, October 8, 2016
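The Akamai item above describes credential stuffing run through hijacked DVRs and cameras, and the Krebs item explains why that matters for detection: each proxy contributes only a handful of attempts, so a per-IP threshold never trips. As an added example, not from either article, here is detection logic in Python run over constructed authentication log lines. It applies two tests: the classic one (one source cycling through many accounts) and a distributed one (a large pool of low-volume sources whose attempts almost all fail). The log format, the RFC 5737 addresses and the thresholds are assumptions; tune them against your own baseline.

```python
import re
from collections import defaultdict

# Assumed log format; adapt the pattern to your authentication logs.
LINE_RE = re.compile(r"ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)")


def parse(lines):
    """Return (ip, user, success) tuples, ignoring lines that do not match."""
    events = []
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            events.append((m["ip"], m["user"], m["result"] == "OK"))
    return events


def per_ip_stuffing(events, min_users=5, max_success_rate=0.2):
    """Single-source stuffing: one IP tries many distinct accounts and mostly fails."""
    by_ip = defaultdict(lambda: {"users": set(), "attempts": 0, "ok": 0})
    for ip, user, ok in events:
        s = by_ip[ip]
        s["users"].add(user)
        s["attempts"] += 1
        s["ok"] += int(ok)
    return sorted(ip for ip, s in by_ip.items()
                  if len(s["users"]) >= min_users
                  and s["ok"] / s["attempts"] <= max_success_rate)


def distributed_stuffing(events, per_ip_limit=3, min_ips=20, max_success_rate=0.1):
    """Proxy-distributed stuffing: many IPs, each with only a few attempts, nearly all failing.
    Returns (flagged, low_volume_ip_count, success_rate_among_low_volume_ips).
    Legitimate traffic is also low-volume per IP, but it mostly succeeds, so the
    success rate across that population is the signal, not the per-IP count."""
    by_ip = defaultdict(list)
    for ip, _user, ok in events:
        by_ip[ip].append(ok)
    low_volume = {ip: oks for ip, oks in by_ip.items() if len(oks) <= per_ip_limit}
    attempts = sum(len(oks) for oks in low_volume.values())
    successes = sum(sum(oks) for oks in low_volume.values())
    rate = successes / attempts if attempts else 1.0
    flagged = len(low_volume) >= min_ips and rate <= max_success_rate
    return flagged, len(low_volume), rate


def sample_log():
    """Constructed lines, not real data: one noisy attacker, 30 low-volume proxies,
    and five legitimate logins."""
    lines = []
    for i in range(8):  # one IP hammering eight accounts
        lines.append(f"2016-10-12T10:00:{i:02d}Z ip=198.51.100.9 user=user{i} result=FAIL")
    for i in range(30):  # proxy pool, two failed attempts each against different accounts
        for j in range(2):
            lines.append(f"2016-10-12T10:01:{j:02d}Z ip=203.0.113.{i + 1} "
                         f"user=victim{i * 2 + j} result=FAIL")
    for i in range(5):  # legitimate users, one success each
        lines.append(f"2016-10-12T10:02:00Z ip=192.0.2.{i + 1} user=staff{i} result=OK")
    return lines


if __name__ == "__main__":
    evs = parse(sample_log())
    print("single-source stuffing from:", per_ip_stuffing(evs))
    flagged, n_ips, rate = distributed_stuffing(evs)
    print(f"distributed stuffing: {flagged} ({n_ips} low-volume IPs, success rate {rate:.2%})")
```

In the constructed sample the per-IP rule catches only 198.51.100.9; the thirty proxies each touch two accounts and pass it, and are caught only by the population-level success rate. The second signal needs a window (an hour, say) and a baseline success rate from normal traffic; a sudden drop in login success across many fresh source addresses is the practical indicator, and blocking individual addresses from a pool of hijacked home devices is rarely worth the effort.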

Cyber Enforcement

California Creates Cyber Crime Center to Support Cyber-Law Enforcement Across State: Attorney General Kamala D. Harris… announced the creation of the California Cyber Crime Center (C4), a new initiative within the California Department of Justice to fight crime in the digital era by bringing state-of-the-art digital forensic capabilities and cyber security expertise to law enforcement across the state. Redheaded Blackbelt, October 13, 2016

Cyber Event

Secure Coding Class for the Web: The major cause of application insecurity is the lack of secure software development practices. This highly intensive and interactive course provides essential application security training for web application, web service and mobile software developers and architects. The class features a combination of lecture, security testing demonstration and code review. Event Date: October 17-21
THIRD ANNUAL LOS ANGELES CYBER SECURITY SUMMIT 2016-SILICON BEACH: Cyber attacks on corporations, governmental agencies and individuals are becoming increasingly widespread and regular, as well as more complex. In honor of National Cyber Security Awareness Month, LMU is once again hosting The Third Annual Cybersecurity Summit that brings together government officials, private business executives and cybersecurity experts to discuss the current and emerging threats that exist in today’s sophisticated cyber environment, and the technological advancements being made to counter and manage these risks. Event Date: October 22, 2016

Jeff Snyder’s SecurityRecruiter.com, Jeff Snyder Coaching, Security Recruiter Blog, 719.686.8810

SecurityRecruiter.com's Security Recruiter Blog